Android Testing
This guide covers Android application penetration testing. Where possible, I have included procedures for Android versions up to 15. I use rooted Pixel devices during penetration testing engagements, as well as Corellium virtual devices as needed.
Android Security
With each major Android release, Google updates the developer security guide. This guide describes the overall implementation of security features - both hardware and software - for the latest release. To fully understand the security features of Android, it is recommended that you read through the security guide.
The latest guide is located at: https://developer.android.com/topic/security/best-practices
OWASP Mobile Top 10 (2024)
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography
OWASP Mobile Testing Guide
OWASP produces a very good mobile application penetration testing guide. It covers both Android & iOS, and is frequently updated. For a more complete set of testing procedures, I highly recommend that you use the OWASP guide during any testing engagement!